diff --git a/pegasus-2.13.0-SSLGeneration.patch b/pegasus-2.13.0-SSLGeneration.patch new file mode 100644 index 0000000..384f521 --- /dev/null +++ b/pegasus-2.13.0-SSLGeneration.patch @@ -0,0 +1,167 @@ +From 3a3e6ecb1ab65513625732e11a0da2b42328107b Mon Sep 17 00:00:00 2001 +From: Stephen Gallagher +Date: Tue, 10 Dec 2013 09:09:58 -0500 +Subject: [PATCH] Update SSL certificate generation + +We will now generate x509v3 certificates with the CA:FALSE +constraint. This will allow us to automatically load it into a +local trust store safely. In order to do this, instead of creating +a true self-signed certificate, we will generate a private CA +certificate and sign the service with that. +--- + rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec | 118 +++++++++++++++++++------ + 1 file changed, 89 insertions(+), 29 deletions(-) + mode change 100644 => 100755 rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec + +diff --git a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec +old mode 100644 +new mode 100755 +index 81e6635936b77ddc486b217260fba59b23cf2a20..cd7e9b8e9ad9d0da95efc6d4e70dd77bda15278e +--- a/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec ++++ b/rpm/tog-specfiles/tog-pegasus-genSSLCerts.spec +@@ -4,22 +4,31 @@ + # Creates a default ssl.cnf file. + # Generates a self-signed certificate for use by the cimserver. + # +-cnfChanged=0; +-if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then +- mkdir -p ${PEGASUS_INSTALL_LOG%/*} +- mkdir -p $PEGASUS_CONFIG_DIR +- echo "[ req ]" > $PEGASUS_CONFIG_DIR/ssl.cnf ++ ++function create_ssl_cnf #(config_file, CN) ++{ ++ SSL_CFG=$1 ++ CA=$2 # Add a second argument to differentiate issuer from subject ++ ++ # Create OpenSSL configuration files for generating certificates ++ echo "[ req ]" > $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "distinguished_name = req_distinguished_name" >> \ +- $PEGASUS_CONFIG_DIR/ssl.cnf +- echo "prompt = no" >> $PEGASUS_CONFIG_DIR/ssl.cnf +- echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/ssl.cnf +- echo "C = UK" >> $PEGASUS_CONFIG_DIR/ssl.cnf +- echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/ssl.cnf +- echo "L = Reading" >> $PEGASUS_CONFIG_DIR/ssl.cnf ++ $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "prompt = no" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ ++ # Include support for x509v3 so we can differentiate CA certificates ++ # from service certificates ++ echo "req_extensions = v3_req" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "x509_extensions = v3_ca" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ ++ echo "[ req_distinguished_name ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "C = UK" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "ST = Berkshire" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "L = Reading" >> $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "O = The Open Group" >> \ +- $PEGASUS_CONFIG_DIR/ssl.cnf ++ $PEGASUS_CONFIG_DIR/$SSL_CFG + echo "OU = The OpenPegasus Project" >> \ +- $PEGASUS_CONFIG_DIR/ssl.cnf ++ $PEGASUS_CONFIG_DIR/$SSL_CFG + DN=`hostname`; + if [ -z "$DN" ] || [ "$DN" = "(none)" ]; then + DN='localhost.localdomain'; +@@ -30,30 +39,81 @@ if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then + FQDN="$DN"; + fi; + # cannot use 'hostname --fqdn' because this can hang indefinitely +- echo "CN = $FQDN" >> $PEGASUS_CONFIG_DIR/ssl.cnf +- chmod 400 $PEGASUS_CONFIG_DIR/ssl.cnf +- chown root $PEGASUS_CONFIG_DIR/ssl.cnf +- chgrp root $PEGASUS_CONFIG_DIR/ssl.cnf ++ # Hack the $CA onto the end of the CN so we differentiate the issuer ++ # of the signature from the subject ++ echo "CN = $FQDN$CA" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ ++ # Add x509v3 extensions ++ echo "[ v3_req ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "basicConstraints = CA:FALSE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "[ v3_ca ]" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "subjectKeyIdentifier=hash" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "authorityKeyIdentifier=keyid:always,issuer" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++ echo "basicConstraints = CA:TRUE" >> $PEGASUS_CONFIG_DIR/$SSL_CFG ++} ++ ++cnfChanged=0; ++if [ ! -e $PEGASUS_CONFIG_DIR/ssl.cnf ]; then ++ mkdir -p ${PEGASUS_INSTALL_LOG%/*} ++ mkdir -p $PEGASUS_CONFIG_DIR ++ ++ create_ssl_cnf ssl-ca.cnf CA ++ create_ssl_cnf ssl-service.cnf ++ ++ chmod 400 $PEGASUS_CONFIG_DIR/ssl-*.cnf ++ chown root $PEGASUS_CONFIG_DIR/ssl-*.cnf ++ chgrp root $PEGASUS_CONFIG_DIR/ssl-*.cnf + cnfChanged=1; + fi + if [ $cnfChanged -eq 1 ] || \ + [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ] || \ + [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ]; then +- /usr/bin/openssl req -x509 -days 3650 -newkey rsa:2048 \ +- -nodes -config $PEGASUS_CONFIG_DIR/ssl.cnf \ +- -keyout $PEGASUS_PEM_DIR/key.pem \ +- -out $PEGASUS_PEM_DIR/cert.pem 2>>$PEGASUS_INSTALL_LOG +- chmod 700 $PEGASUS_PEM_DIR/*.pem +- cp -fp $PEGASUS_PEM_DIR/cert.pem \ +- $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE +- cp -fp $PEGASUS_PEM_DIR/key.pem \ +- $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE ++ # Create private key for the CA certificate ++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/ca-key.pem 2048 ++ ++ # Create CA certificate: ++ /usr/bin/openssl req -new -x509 -days 3650 \ ++ -key $PEGASUS_PEM_DIR/ca-key.pem \ ++ -out $PEGASUS_PEM_DIR/ca.crt \ ++ -config $PEGASUS_CONFIG_DIR/ssl-ca.cnf ++ ++ # Create private key for the service certificate ++ /usr/bin/openssl genrsa -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE 2048 ++ ++ # Create a signing request for the service certificate ++ /usr/bin/openssl req -new \ ++ -config $PEGASUS_CONFIG_DIR/ssl-service.cnf \ ++ -key $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE \ ++ -out $PEGASUS_PEM_DIR/server.csr ++ ++ # Sign the request with the CA certificate ++ /usr/bin/openssl x509 -req -days 3650 \ ++ -in $PEGASUS_PEM_DIR/server.csr \ ++ -CA $PEGASUS_PEM_DIR/ca.crt \ ++ -CAkey $PEGASUS_PEM_DIR/ca-key.pem \ ++ -CAcreateserial \ ++ -out $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ ++ -extfile $PEGASUS_CONFIG_DIR/ssl-ca.cnf ++ ++ # Set file permissions appropriately + chmod 400 $PEGASUS_PEM_DIR/$PEGASUS_SSL_KEY_FILE +- chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE +- rm -f $PEGASUS_PEM_DIR/key.pem $PEGASUS_PEM_DIR/cert.pem ++ chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE ++ ++ # Remove the certificate signing request ++ # It is not needed after the signature is complete ++ rm -f $PEGASUS_PEM_DIR/server.csr ++ ++ # Remove the private key for the CA certificate ++ # This will ensure that it cannot be used to sign any other ++ # (possibly suspicious) certificates ++ # This does mean that generating a new certificate for this ++ # service will need a new CA cert, but most real deployments ++ # will use real infrastructure. ++ rm -f $PEGASUS_PEM_DIR/ca-key.pem ++ + fi; + if [ ! -e $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE ]; then +- cp -fp $PEGASUS_PEM_DIR/$PEGASUS_SSL_CERT_FILE \ ++ cp -fp $PEGASUS_PEM_DIR/ca.crt \ + $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE + chmod 444 $PEGASUS_PEM_DIR/$PEGASUS_SSL_TRUSTSTORE; + fi; +-- +1.8.4.2 + diff --git a/tog-pegasus.spec b/tog-pegasus.spec index 29a3f5b..8ccb5ab 100644 --- a/tog-pegasus.spec +++ b/tog-pegasus.spec @@ -8,7 +8,7 @@ Name: tog-pegasus Version: %{major_ver}.0 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 2 Summary: OpenPegasus WBEM Services for Linux @@ -81,11 +81,21 @@ Patch29: pegasus-2.13.0-enable-subscriptions-for-nonprivileged-users.patc BuildRequires: procps, libstdc++, pam-devel BuildRequires: openssl, openssl-devel +# 30: Create x509v3 self-signed certificates with CA:FALSE +Patch30: pegasus-2.13.0-SSLGeneration.patch + +BuildRequires: bash, sed, grep, coreutils, procps, gcc, gcc-c++ +BuildRequires: libstdc++, make, pam-devel +BuildRequires: openssl-devel BuildRequires: net-snmp-devel, openslp-devel BuildRequires: systemd-units -Requires: net-snmp-libs, openssl +Requires: net-snmp-libs Requires: %{name}-libs = %{epoch}:%{version}-%{release} +Requires: ca-certificates Provides: cim-server = 1 +Requires(post): /usr/bin/update-ca-trust +Requires(post): /usr/bin/openssl +Requires(post): /sbin/ldconfig %description OpenPegasus WBEM Services for Linux enables management solutions that deliver @@ -112,6 +122,7 @@ Group: System Environment/Libraries Conflicts: libcmpiCppImpl0 Requires(pre): /usr/sbin/useradd Requires(pre): /usr/sbin/groupadd +Requires(post): /sbin/ldconfig %description libs The OpenPegasus libraries. @@ -212,6 +223,7 @@ yes | mak/CreateDmtfSchema 238 %{SOURCE9} cim_schema_2.38.0 %patch27 -p1 -b .build-fix %patch28 -p0 -b .PG_ComputerSystem.CreationClassName %patch29 -p1 -b .enable-subscriptions-for-nonprivileged-users +%patch30 -p1 -b .genssl %build @@ -327,6 +339,12 @@ make prestarttests %ghost /etc/Pegasus/client.pem %ghost /etc/Pegasus/server.pem %ghost /etc/Pegasus/file.pem +%ghost /etc/Pegasus/ca.crt +%ghost /etc/Pegasus/ca.srl +%ghost /etc/Pegasus/client.srl +%ghost /etc/Pegasus/ssl-ca.cnf +%ghost /etc/Pegasus/ssl-service.cnf +%ghost /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem %ghost %attr(0640, root, pegasus) /etc/Pegasus/cimserver_trust %ghost %attr(0640, root, pegasus) /etc/Pegasus/indication_trust %ghost %attr(0640, root, pegasus) /etc/Pegasus/crl @@ -396,7 +414,12 @@ if [ $1 -ge 1 ]; then if [ ! -e /etc/Pegasus/ssl.cnf ] || [ ! -e /etc/Pegasus/server.pem ] || [ ! -e /etc/Pegasus/file.pem ] || [ ! -e /etc/Pegasus/client.pem ]; then if [ -x /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts ]; then + # Create self-signed certificates for initial usage /usr/share/Pegasus/scripts/genOpenPegasusSSLCerts + # Add the self-signed certificate to the local trust store + cp /etc/Pegasus/ca.crt \ + /etc/pki/ca-trust/source/anchors/localhost-pegasus.pem + /usr/bin/update-ca-trust extract fi; fi; fi @@ -481,6 +504,10 @@ fi %changelog +* Thu Mar 06 2014 Stephen Gallagher - 2:2.13.0-8 +- Generate SSL certificates with x509v3 and CA:FALSE +- Automatically import self-signed certificates into local trust-store + * Thu Jan 30 2014 Vitezslav Crhonek - 2:2.13.0-7 - Add Platform_LINUX_XSCALE_GNU.h to -devel because of lmiwbem on arm